I have several old devices. Upgrading them is either impossible, they are unsupported, or I can’t be bothered upgrading the. Access is only via a dedicated VLAN within my home network.
When stuck, I posted to Twitter and that led me to OpenSSH Legacy Options. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms.
Here’s what I just tried:
$ ssh pdu1 Unable to negotiate with 10.52.0.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 pdu1 Unable to negotiate with 10.52.0.2 port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc $ ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length $ ssh-add -D All identities removed. $ ssh -a -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length $ ssh-add -l The agent has no identities.
Let’s try verbose:
$ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 OpenSSH_7.6p1, LibreSSL 2.6.2 debug1: Reading configuration data /Users/dan/.ssh/config debug1: /Users/dan/.ssh/config line 5: Applying options for * debug1: /Users/dan/.ssh/config line 168: Applying options for pdu1 debug3: kex names ok: [diffie-hellman-group1-sha1] debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 48: Applying options for * debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to pdu1.int.unixathome.org port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ecdsa-cert type -1 debug1: identity file /Users/dan/.ssh/id_ed25519 type 3 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ed25519-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6 debug1: Remote protocol version 2.0, remote software version cryptlib debug1: no match: cryptlib debug3: fd 5 is O_NONBLOCK debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl' debug3: hostkeys_foreach: reading file "/Users/dan/.ssh/known_hosts" debug1: /Users/dan/.ssh/known_hosts:400: parse error in hostkeys file debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: 3des-cbc debug2: ciphers stoc: 3des-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: 3des-cbc,blowfish-cbc debug2: ciphers stoc: 3des-cbc,blowfish-cbc debug2: MACs ctos: hmac-sha1,hmac-md5 debug2: MACs stoc: hmac-sha1,hmac-md5 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group1-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 510/1024 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEXDH_REPLY debug3: receive packet: type 31 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length
The above was from OSX 10.13.3 (17D47). Let’s try from FreeBSD.
FreeBSD
In this attempt, I had to specify the user on the connection. On my laptop, that was covered by my ~/.ssh/config file.
[dan@slocum:~] $ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc dvl@pdu1
OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd 26 Jan 2017
debug1: Reading configuration data /usr/home/dan/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 53: Deprecated option "useroaming"
debug2: resolving "pdu1.int.unixathome.org" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to pdu1.int.unixathome.org [10.52.0.2] port 22.
debug1: Connection established.
debug1: identity file /usr/home/dan/.ssh/id_rsa type 1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_rsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_dsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_dsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ecdsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ecdsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ed25519 type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20161230
debug1: Remote protocol version 2.0, remote software version cryptlib
debug1: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl'
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts"
debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306
debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: 3des-cbc
debug2: ciphers stoc: 3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 523/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:hPsoJNLzAZ+7LpBnPQFMcWEJtsovKc+uJm+0utUmyfw
debug3: verify_host_key_dns
DNS lookup error: general failure
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts"
debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306
debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2"
debug1: Host 'pdu1.int.unixathome.org' is known and matches the RSA host key.
debug1: Found key in /usr/home/dan/.ssh/known_hosts:306
debug2: bits set: 529/1024
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /usr/home/dan/.ssh/id_rsa (0x80208e200)
debug2: key: /usr/home/dan/.ssh/id_dsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
Authenticated with partial success.
debug2: key: /usr/home/dan/.ssh/id_rsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_dsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0)
debug1: Authentications that can continue: password
debug3: start over, passed a different list password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
dvl@pdu1.int.unixathome.org's password:
'debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to pdu1.int.unixathome.org ([10.52.0.2]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: Fssh_ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 8192 rmax 1024
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
American Power Conversion Network Management Card AOS v2.6.4
(c) Copyright 2004 All Rights Reserved Rack PDU APP v2.6.5
-------------------------------------------------------------------------------
Name : pdu1 Date : 01/30/2018
Contact : Dan Langille Time : 01:15:12
Location : rack01 bottom User : Administrator
Up Time : 2 Days 8 Hours 10 Minutes Stat : P+ N+ A+
Switched Rack PDU: Communication Established
------- Control Console -------------------------------------------------------
1- Device Manager
2- Network
3- System
4- Logout
<ESC>- Main Menu, <ENTER>- Refresh, <CTRL-L>- Event Log
>
SUCCESS!
Proxy host
As I type this, I’m tired and I don’t want to pursue this next idea. Proxy tunnels.
Have a read of this and let me know: Creating a transparent SSH tunnel through a bastion host.
I am sure that by using the above idea, I can ssh from my laptop through the bastion host, and get onto that PDU.
The rest is left as an exercise for the reader. Please post in the comments. Thank you.
Putting this into ~/.ssh/config on the bastion host:
gives a good result: